Securing your online life

… is simple and has never been more important

Intro

Good online security practices are more important than ever, with ever more of our lives relying on online services and the risk of increasingly sophisticated hackers and scammers getting hold of our data or taking control of our accounts.

This is a guide to setting up device and account security in a way that is both effective and easy!

Strong and Memorable Passwords

No matter the situation, you will need to remember at least one strong password. It should be a new one that does not contain your name, special dates or hobbies: make it a truly random sequence of regular words, separated by hyphens or commas. This passphrase is the one you'll use to access your password manager. You can use a tool like Proton's Password Generator to get a new one. Once you've come up with it, write it down on a piece of paper and keep it for some time until you've been able to produce it by heart a few times, then shred and dispose of it.

You will also need to remember passwords to unlock your devices, like your laptop and smartphone, and maybe also for your authenticator app if you use one. If that sounds like too much to remember, do not just give up. Make your passphrase a little shorter, maybe only three words, then add some ‘quirk’ to it representing the device or authentication app you are trying to access, so you only really need to remember one password. What's important is that you do not reuse it elsewhere on the web, and that it is eventually present nowhere but in your head.
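A small generator for the kind of passphrase described above, added here as an example and not part of the original guide: it draws words with the operating system's random source and shows how many words a list of a given size needs to reach a target entropy. The word list is a constructed sample; the 7776 figure is the size of the EFF large wordlist, an assumption for the entropy figures.

```python
import math
import secrets

# Constructed sample word list for the demo; a real list such as the EFF
# large wordlist has 7776 entries, which is what the entropy figures assume.
SAMPLE_WORDS = ["apple", "river", "candle", "orbit", "velvet", "harbor", "meadow", "pixel"]
EFF_LARGE_LIST_SIZE = 7776


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words drawn uniformly, with replacement, from a list of list_size words."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count that reaches target_bits of entropy from the given list."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, n_words: int = 4, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG (secrets); random.choice is not suitable for secrets."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def is_well_formed(phrase: str, words, n_words: int, sep: str = "-") -> bool:
    """Check that a phrase is exactly n_words list words joined by sep."""
    parts = phrase.split(sep)
    return len(parts) == n_words and all(p in words for p in parts)


if __name__ == "__main__":
    for n in (3, 4, 5, 6):
        bits = passphrase_entropy_bits(n, EFF_LARGE_LIST_SIZE)
        print(f"{n} words from a {EFF_LARGE_LIST_SIZE}-word list: {bits:.1f} bits")
    print(generate_passphrase(SAMPLE_WORDS, 4))
```

Three words from the EFF list give about 39 bits and four give about 52, which is why a shorter phrase is acceptable only for a device you hold in your hand and not for anything reachable over the network.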

Device Security

Your devices should require authentication when you power them on and when they wake up from suspension, and they should automatically lock after a short time of being unused. You should use the strongest form of authentication available on your device, which is typically a strong password plus biometrics.

Smartphones

Passwords

Set up a strong and memorable password on your device. On Android, this is done under Settings > Security > Screen Lock. Note that once biometrics are set up, your password will only be required after restarts, when making changes to security options, and very occasionally to prevent you from forgetting it.

Biometrics

Biometrics allow you to unlock your device significantly faster, without sacrificing security. On Android, you can set them up under Settings > Security. Fingerprint recognition is preferable to facial recognition, as it doesn't suffer from false positives or inadvertent lockouts like the latter. Once set up, it will also become available as an authentication option for other apps.

Encryption

Modern smartphones have their internal storage automatically encrypted. This means that if you ever lose your phone, no one can see what is stored on it without decrypting it first with its encryption key, which is protected by your lock‐screen password and biometrics. On Android, you can check the encryption status under Settings > Security > Encryption.

Do not add a flash/SD memory card to your phone without immediately setting up encryption on it, which you may have to do manually.

Computers

If you use Linux, take a look at the ArchWiki for these topics. There's often a lot more of the basics to configure on that platform.

Passwords

Use a strong and memorable password to unlock your computer. If you have a Home version of Windows 11, sign in with a Microsoft account so that you also get device encryption; this means you will need to set this password up in your Microsoft account. If you have a Pro version, you can alternatively keep your Microsoft account password in your password manager and use a local account to log in to Windows, which is better for privacy. Either can be done under Settings > Accounts > Your Info > Account settings / Related settings.

Biometrics (or PIN)

On Windows 11, this is set up in Settings > Accounts > Sign‐in Options > Windows Hello. Again, prefer fingerprint authentication. If biometric authentication is unavailable on your device, you can simply set up a PIN with at least 4 digits. It will not compromise your PC's security in any major way, since your OS will allow only a few attempts at it before falling back to your proper password. You will be able to use your configured “Windows Hello” authentication in some apps too.

Encryption

Windows 11 Home will automatically encrypt your device when you set it up with a Microsoft account on first use. You can check the status, and enable it if available, under Settings > Privacy & Security > Device Encryption. On Windows 11 Pro you can more freely use the drive encryption feature or BitLocker to encrypt your system drive.

Encryption on a PC is quite important, since anyone could extract your storage drive, connect it to another computer and gain access to all your data if it is not encrypted.

Account Security

Strengthening the security of your accounts will make all the difference in the world, as long as the device you are using is not itself compromised: Never log in to important accounts or manage sensitive data on a device that you do not control.

Password Manager

Your password manager will be in charge of remembering the username and password of each account and service you use on the web. It will automatically generate unique and very strong passwords when you want to change a password for an account, store them, and then make them available when you need them, often filling the password in for you on a website's login form. While this greatly simplifies managing the logins of numerous accounts, it means that you need to pay special attention to securing your password manager: you will need to use your strong and memorable password here, and then set up multi‐factor authentication to log in to it (more about this further below).

I have used Mozilla Firefox's built‐in password manager and Proton Pass, and I can recommend both. Both will allow you to access your passwords on your computer and on mobile, they will automatically sync any changes, and they support multi‐factor authentication.

Firefox

If you decide to go the Firefox route, install the app on your computer and phone if you haven't done so already, then go to Settings > Sync, create a Mozilla account, and turn on syncing of your passwords. You can configure the password manager feature under Settings > Privacy & Security.

Proton Pass

If you want to go for Proton Pass, you will need to install the app on your phone and the browser extension on your computer. A Proton account comes with a ton of goodies beyond the password manager (which may be more than you seek).

Once you have created and secured your password manager account, you will, this first time, need to go through each and every account you use on the internet and change its password, generating a new one with your password manager and letting it store your username and new password for each account. This is not as tedious as it may sound, and it will enormously improve your online security in and of itself.

If you are unfamiliar with password managers, try this with a single account first, and once you are comfortable with the process proceed with the others. Make sure each time that the newly generated password was saved.

Recovery

Due to the great importance of your password manager account, you should set up a recovery method in case you are somehow ever locked out. Both the Mozilla and Proton accounts discussed earlier can generate a set of recovery codes that you should store securely in case you ever need them. You can compress the generated text file using 7‐zip, encrypting it in the process with a different password that you will not forget, and store it on your devices. You can also write the codes down on a piece of paper and keep it under lock.

Multi‐factor Authentication

Using strong and unique passwords on each of your accounts, facilitated by your password manager, is already quite good. But when it comes to your password manager account itself, your home‐banking, primary email or any service handling sensitive or highly valuable data, it is not enough. If one of your passwords were to be leaked for any reason, the account could immediately be compromised. In those cases—and ideally everywhere possible—you should use multi‐factor authentication (MFA), where in addition to requiring something only you know (a password), logging in will require something that only you possess (a device).

This secondary authentication factor can be an access code received through SMS or an authenticator app, which requires that you have your smartphone with you when signing in to these sites, or a physical security key that you insert into a USB port when you need to log in.

SMS

SMS is straightforward—you need only be able to receive SMS messages on your phone. However, this MFA option is often discouraged or even unavailable due to it not being completely reliable, being costly for the service provider, and being less secure (someone could clone your SIM card and receive the SMS, for example). Still, if it's available and you prioritize simplicity, this may be a suitable option.

Authenticator Apps

Authenticator apps require you to install the app on your phone, scan a QR code generated by the service to be secured (such as your home banking or email provider), and keep a backup somewhere in case you ever lose your phone. Beyond that, they are very simple to use and are pretty much always available as an MFA option. Google Authenticator is easy to use and will automatically manage backups if you log in with your Google account, which people often do on Android. A better option that I recommend is Aegis Authenticator, which is one of the best authenticator apps out there. Among other things, it allows you to lock the app itself and has more backup options.

Recovery

If you lose your phone, you can recover the MFA accounts in Google Authenticator by logging into your Google account on another phone with the app installed. If you use this method, make sure you add some other form of MFA to your Google account in particular, like backup codes. Aegis allows you to back up your MFA accounts using your Android device backup and recover them on another phone, or simply export an encrypted file with your accounts which you can load when you need to restore them.

Physical Security Keys

Physical security keys, like a Yubikey, are simple to use once set up: you just insert them into your phone's or computer's USB(‐C) port when you need to authenticate, and you're done. The downside is that they are less commonly available as an option than authentication codes, and that you must carry the key around wherever you go if it is your main form of MFA, at the risk of losing it. I find it works well as a backup form of MFA that you can keep stored in a secure place at home.